Eight Chrome extensions with a combined 7M+ installs are scraping AI chats, or are set up to. Most carry Google's "Featured" and "Verified" badges. Most are owned by data brokers and analytics companies. None of them make it obvious.
What "AI chat scraping" means here
An extension installed in your browser reading your AI chat content (prompts, responses, or both) and sending it to a remote server. Not the same as "tracking which URLs you visit", though most extensions on this list do both.
This is likely done to train distilled models, target the user with advertisements, and I'm sure there's a bunch of other creative uses for this.
Some of these extensions disclose this in their privacy policies, some don't. None of them make it obvious to the user, and none of them have a good reason to be doing it.
Confirmed vs Capability
This list mixes two categories:
- Confirmed: I observed AI chat content leaving the browser in network traffic, with my own eyes.
- Capability: The exfiltration infrastructure is there (remote endpoint, code path, the lot) but didn't fire in our observation window. We attribute this to server-side gating.
Remote config lets an extension fetch instructions from a server at runtime, changing behaviour after install without an update. It's also a convenient way to dodge sandbox detection, which is what we think we're looking at in the Capability entries below.
If an extension falls into either bucket, it's on the list. All flagged by the AIBP system, aside from UrbanVPN (honourable mention, they were caught last year and stopped).
Summary
| # | Extension | Users | Owner | Status | Obfuscation |
|---|---|---|---|---|---|
| 1 | Stylish | 2M | SimilarWeb | Confirmed | Extensive |
| 2 | Poper Blocker | 2M | Big Star Labs LP | Capability | Yes |
| 3 | SimilarWeb | 1M | SimilarWeb | Confirmed | None |
| 4 | StayFocusd | 700k | SensorTower | Capability | LZ-String (light) |
| 5 | CrxMouse | 700k | Big Star Labs LP | Capability | Yes |
| 6 | WhatRuns | 400k | Owned it Ltd | Confirmed | None |
| 7 | StayFree | 200k | SensorTower | Capability | LZ-String (light) |
| 8 | UrbanVPN | 8M+ | UrbanVPN | Historical | lz-string (UTF-16) |
#1 Stylish - 2M Users - Featured & Verified
Status: Confirmed
Stylish is an extension to help add CSS styles to sites to make them look pretty. It could be argued that this is either targeted towards kids, or has a big overlap with a younger audience, but there is no way for us to explicitly prove that kids are using this as we just don't have that information.
Google would be able to work this out however.
Stylish has the most extensive obfuscation we've seen, as we covered here [link]. They exfiltrate all URLs and AI chats from providers like Character AI, ChatGPT, Claude, etc.
But that's okay, right? They explicitly state:
"We care about your privacy"
Stylish is owned by SimilarWeb.

#2 Poper Blocker - 2M Users - Featured & Verified
Status: Capability (URL exfiltration confirmed)
Poper Blocker (not a typo) is an adblocker/popup blocker.
Its description does state:
"Poper Blocker also receives and analyzes relevant data about visited sites"
They obfuscate and exfiltrate every URL you visit and have the infrastructure set up to scrape your AI chats. In our sandbox we did not see them scraping AI chats; however, this looks like sandbox evasion. We suspect a server-side timer gated on user-ID age, since our user ID was newly created.
We did observe them scraping all our URLs with some limited exceptions for PII.
In their privacy policy, they state:
"Automatically while using our Services: Personal Information collected automatically or inferred about you while using the Services."
Not something you'd expect from an adblocker.
Poper Blocker is owned by Big Star Labs LP (as stated in their privacy policy).

#3 SimilarWeb - 1M Users - Verified
Status: Confirmed
The official SimilarWeb extension helps users find "similar sites" to the sites they are browsing.
They exfiltrate AI chats and full URLs, even when you're not using the extension. Unlike Stylish, however, they do not obfuscate the exfiltrated data.
SimilarWeb is owned by SimilarWeb (no surprise there), the same owner as Stylish.

#4 StayFocusd - 700k Users - Featured & Verified
Status: Capability
StayFocusd helps users "stay focused" online, avoiding distracting sites. We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled. It has since been enabled.
They exfiltrate almost every URL you visit and have the infrastructure to scrape your AI chats. They do have exceptions: a whitelist of adult sites, US health sites, and some regex for US-focused sensitive data in query parameters, such as social security numbers and ZIP codes. This protection is US-centric and breaks for everyone else. UK users get no such filtering.
StayFocusd has all of the infrastructure for this, but in our sandbox again, we didn't see them exfiltrating these AI chats. As above, this can be enabled for specific users, or rolled out after a delay of X days or Y activity.
Some of this data is obfuscated via LZ-String, which could be considered "compression". It's far less extensive than Stylish.
StayFocusd is owned by SensorTower.

#5 CrxMouse - 700k Users - Featured & Verified
Status: Capability (URL exfiltration confirmed)
CrxMouse lets you use gestures to do actions faster, for example, dragging an image to the right opens it in a new tab.
It also obfuscates and exfiltrates all URLs, as we observed, and has remote infrastructure for scraping AI chats.
CrxMouse is owned by Big Star Labs LP, the same owner as Poper Blocker, and uses the same remote config.

#6 WhatRuns - 400k Users - Featured & Verified
Status: Confirmed
WhatRuns shows users "what runs" on the sites they visit. For example, if you visit a site that runs WordPress, it'll tell you it runs WordPress. It's actually pretty useful. I (James) previously had it installed; this one hits close to home.
WhatRuns exfiltrates every URL you visit, alongside AI chats. No exceptions here, they don't even bother to obfuscate the requests which is nice to see, although there's no indication to the user this exfiltration is happening.
We observed URL and AI chat exfiltration.
WhatRuns is owned by Owned it Ltd.

#7 StayFree - 200k Users - Featured & Verified
Status: Capability
StayFree, similar to StayFocusd, says it provides "Analytics to help you understand and control your website usage, leading to less distractions and enhanced productivity".
It essentially has the same features as StayFocusd: the same remotely activated capability to scrape AI chats and collect URLs, with limited PII exceptions.
StayFree is owned by SensorTower (same as StayFocusd).

#8 UrbanVPN (Honourable Mention)
Status: Historical (caught by Koi in 2025, ceased AI chat scraping)
UrbanVPN is the biggest* privacy and security extension on the Chrome Web Store, with over 8 million users. They were exposed by Koi for scraping AI chats.
They don't actually do it anymore, but that's because they got caught. They still obfuscate and exfiltrate URLs, with the obfuscation being lz-string (UTF-16 variant), which I'm sure they'd argue is for "compression" and not to make it more difficult for researchers to evaluate.
They got caught "scanning" AI chats, for "security purposes", quite an interesting reason. They even made a "setting the record straight" blog post, an introduction that always goes down well with the security community /s.
*UrbanVPN seems to have something going on with its user count. We observed it jumping from 8M -> 24M -> 69M -> Unknown. Chrome hides the user count when it detects something suspicious going on.

So what's actually happening here?
These extensions are scraping AI chats and getting away with it.
In some cases, this is disclosed to the user via tiny text next to a big "accept" button. In other cases, it's not disclosed unless you dig for it. There's a lot of "dark patterns" in our opinion, getting the user to say they're over 18 and accept the privacy policy where it's presented to them.
None of this is acceptable. AI chats ideally shouldn't be sensitive, but they sometimes are. There's no good reason these extensions have to send chat content off to their servers. We have no visibility on what they're actually doing with this data, and they're clearly collecting it for a reason.
The Chrome Web Store badge problem
Many of these extensions are from "verified publishers" and are "featured" on the Chrome Web Store, apparently for following "best practices" (including best privacy practices).
In our experience, Chrome only takes away badges when there's a public outcry. Which is why investigations like this matter.
What can users do?
- Audit your installed extensions and remove anything you don't actively use. Permissions persist after install.
- Don't treat "Featured" or "Verified" as a safety signal. Every extension on this list has at least one.
- Run AIBP to scan your extensions, or DIY with a proxy and packet capture. That's how this list was built.
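As a starting point for the audit step, this added example (not AIBP code and not from the original post) checks which host patterns in an extension's manifest.json let it reach AI chat pages. The host list and the three manifests are assumptions constructed for illustration; broad access shows an extension can read those pages, not that it exfiltrates anything.

```python
import re

# Assumption: hosts for the providers the article names; extend for your own use.
AI_CHAT_HOSTS = ("chatgpt.com", "claude.ai", "character.ai")

def pattern_covers(pattern, host):
    """True if a Chrome match pattern grants access to https://<host>/ pages."""
    if pattern == "<all_urls>":
        return True
    m = re.fullmatch(r"(\*|https?)://(\*|(?:\*\.)?[^/*]+)/.*", pattern)
    if not m or m.group(1) == "http":      # the chat sites are served over https
        return False
    pat_host = m.group(2)
    if pat_host.startswith("*."):          # "*.x.y" covers x.y and its subdomains
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host in ("*", host)

def declared_patterns(manifest):
    """Yield (source, pattern) for every host pattern in an MV2 or MV3 manifest."""
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                yield key, p
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for p in script.get("matches", []):
            yield f"content_scripts[{i}]", p

def ai_chat_access(manifest, hosts=AI_CHAT_HOSTS):
    """Map each AI chat host to the declarations that let the extension reach it."""
    report = {}
    for host in hosts:
        grants = [(s, p) for s, p in declared_patterns(manifest) if pattern_covers(p, host)]
        if grants:
            report[host] = grants
    return report

# Constructed manifests, not taken from any extension on this list.
BROAD = {"manifest_version": 3, "permissions": ["storage"],
         "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]}
NARROW = {"manifest_version": 3, "host_permissions": ["https://*.example.org/*"]}
TARGETED = {"manifest_version": 3, "host_permissions": ["*://*.claude.ai/*"]}

if __name__ == "__main__":
    for name, mf in (("broad", BROAD), ("narrow", NARROW), ("targeted", TARGETED)):
        print(name, ai_chat_access(mf))
```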
Methodology
Findings here come from the AIBP analysis pipeline (dynamic and static analysis in a sandbox), then manually verified by me, James, watching the AI chat exfiltration happen in my own (sandboxed) browser with my own eyes, inspecting outbound network requests.
Confirmed means I observed chat content leaving the browser in network traffic during manual testing.
Capability means the exfiltration code path and remote endpoint are in place and wired up, but didn't fire in our observation window. We attribute this to server-side gating (remote config, user-ID-based delay, or both).
Where data was obfuscated, we decoded payloads before classifying.
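One way to reproduce the "Confirmed" check with a proxy capture, as an added example that is not the AIBP pipeline or the author's tooling: type a unique canary string into an AI chat, export the traffic as HAR, and search every non-first-party request for it in plain, URL-encoded, base64 and hex form. The canary, hostnames and capture below are constructed; payloads compressed with LZ-String need to be decompressed first and are not handled here.

```python
import base64, json, re
from urllib.parse import unquote, urlsplit

CANARY = "canary-7f3a-constructed"  # constructed marker typed into the chat under test
FIRST_PARTY = {"chat.example"}      # assumption: the chat provider's own host(s)

def views(text):
    """Yield (encoding, decoded_text) views of one request field."""
    yield "plain", text
    decoded = unquote(text)
    yield "url", decoded
    for tok in re.findall(r"[A-Za-z0-9+/_-]{16,}={0,2}", decoded):
        try:
            raw = base64.urlsafe_b64decode(tok + "=" * (-len(tok) % 4))
        except ValueError:          # not valid base64, skip the token
            continue
        yield "base64", raw.decode("utf-8", "ignore")
    for tok in re.findall(r"(?:[0-9a-fA-F]{2}){8,}", decoded):
        yield "hex", bytes.fromhex(tok).decode("utf-8", "ignore")

def scan_har(har, canary=CANARY, first_party=FIRST_PARTY):
    """Return (host, field, encoding) for each third-party request carrying the canary."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if host in first_party:     # the chat talking to its own backend is expected
            continue
        fields = {"url": req["url"], "body": req.get("postData", {}).get("text", "")}
        for field, value in fields.items():
            enc = next((e for e, d in views(value) if canary in d), None)
            if enc:
                hits.append((host, field, enc))
    return hits

def _req(url, body=""):
    return {"request": {"method": "POST", "url": url, "postData": {"text": body}}}

_chat = json.dumps({"prompt": f"summarise this {CANARY}"})
SAMPLE_HAR = {"log": {"entries": [   # constructed capture, not real traffic
    _req("https://chat.example/api/send", _chat),                       # first party
    _req("https://collector.example/v1/e",
         json.dumps({"d": base64.b64encode(_chat.encode()).decode()})), # chat, base64
    _req("https://stats.example/p?u=https%3A%2F%2Fchat.example%2Fc%2F1"),  # URL only
    _req("https://plain.example/log", _chat),                           # chat, plain
]}}

if __name__ == "__main__":
    for hit in scan_har(SAMPLE_HAR):
        print(hit)
```

The `stats.example` entry is URL tracking only and produces no hit, which is the distinction the article draws between visited-URL collection and chat scraping.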
